New guidelines of the EDPB on data controllers and data processors
The European Data Protection Board (“EDPB” or “Board”) has adopted the final version of guidelines no. 07/2020 on the concepts of controller and processor in the GDPR on its meeting of 7 July 2021, which renews and replaces the previous guidance no. 1/2010 of the Article 29 Data Protection Working Party on the same subject.
The definition of roles of data controller and data processor has been and continues to be the most controversial issue of data protection law, both during and prior to the entry into effect of the GDPR, as the assumed role determines the obligations and thus the corresponding responsibility. For this reason, the new EDPB guidelines are essential for all actors involved in data processing activities.
- Identifying the data controller
According to the GDPR, the person determining the purposes and means of the processing of personal data shall be considered the data controller. Among the elements of the concept, the new guideline explained the means of data processing in most detail, implementing a sharper distinction compared to the previous guidance.
In the opinion of the Board, when identifying the data controller, the means of data processing shall be understood only as the essential means, which are the following:
- type of personal data which are processed
- duration of the processing
- the categories of recipients with access to the data (including transfers of data)
- the categories of data subjects
The EDPB also emphasizes that actual access to personal data is not a requirement to be considered the data controller.
- Identifying the data processor
According to the GDPR, the data processor is the person who performs the processing operations on behalf of the data controller. The EDPB identified two explicit and one implied condition for the identification of the data processor. The two explicit conditions are as follows:
- The data processor is a separate entity from the data controller;
- The processing operations are performed solely on behalf of the data controller and the data are not processed for any purpose or interest other than those of the data controller.
In addition to the above, the third implied condition is that the discretion of the data processor includes the choice of non-essential means of data processing, such as the location of data storage, the software and methodology used for data processing operations.
There must be a written contract between the data controller and the data processor regarding the data processing, the absence of a contract constitutes an infringement of the GDPR on part of both actors.
The EDPB emphasized that the GDPR also imposes stricter obligations on data processors compared to the previous regulation. In addition, in the data processing agreement, the data controller may indirectly hold the data processor responsible for the performance of the data controller’s obligations under the GDPR, therefore, in order to limit the data controller’s liability, the most important thing is to select a responsible data processor, and conclude a processing agreement which duly takes into account all responsibilities.
- A person under the direct control of the data controller or data processor
Compared to the concepts of data controller and data processor, the role under the direct control of the data controller or data processor set out by Article 29 of the GDPR is less frequently discussed, but in practice the majority of natural persons perform data processing operations in this capacity.
This category includes a person who is not separate from the data controller or data processor. For example, neither the managing director nor a department of the company can be considered a separate entity from the company.
This category also includes a person who, although carrying out processing operations on behalf of the controller, has no independent decision-making power over these operations at all. Directly under the direct control are mainly workers and employees, but it is important to note that from the point of view of data protection law, not only workers employed under the Labour Code should be considered as employees, but also, where appropriate, staff employed under a service or agency contract.
When identifying direct control, in addition to the type of legal relationship, it is therefore necessary to examine the decision-making rights of the individual, his or her integration into the organization of the data controller or data processor, and the control exercised by the data controller or data processor.
For persons under direct control, the GDPR contains a single requirement that personal data may not be processed contrary to the instructions of the data controller. It is also possible and recommended in case of the persons under direct control to impose the obligations of the GDPR, as well as to sanction any conduct that infringes data protection law, in a contract or internal regulations.
Should you have any questions regarding the above, feel free to contact us.